OWASP_2017_A05 on ZAP

Absence of Anti-CSRF Tokens

Mon, 01 Jan 0001 00:00:00 +0000

No Anti-CSRF tokens were found in a HTML submission form. A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.

Access Control Issue - Improper Authentication

Mon, 01 Jan 0001 00:00:00 +0000

Insufficient Authentication occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Web-based administration tools are a good example of web sites providing access to sensitive functionality. Depending on the specific online resource, these web applications should not be directly accessible without requiring the user to properly verify their identity.

Access Control Issue - Improper Authorization

Mon, 01 Jan 0001 00:00:00 +0000

Insufficient Authorization results when an application does not perform adequate authorization checks to ensure that the user is performing a function or accessing data in a manner consistent with the security policy. Authorization procedures should enforce what a user, service or application is permitted to do. When a user is authenticated to a web site, it does not necessarily mean that the user should have full access to all content and functionality.

Bypassing 403

Mon, 01 Jan 0001 00:00:00 +0000

Bypassing 403 endpoints may be possible, the scan rule sent a payload that caused the response to be accessible (status code 200).

Cookie with Invalid SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with an invalid SameSite attribute value, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie with SameSite Attribute None

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set with its SameSite attribute set to “none”, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

Cookie without SameSite Attribute

Mon, 01 Jan 0001 00:00:00 +0000

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a ‘cross-site’ request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

CORS Header

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any other origins (domain, scheme, or port) than its own from which a browser should permit loading of resources. It relaxes the Same-Origin Policy (SOP).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

This CORS misconfiguration could allow an attacker to perform AJAX queries to the vulnerable website from a malicious page loaded by the victim’s user agent. In order to perform authenticated AJAX queries, the server must specify the header “Access-Control-Allow-Credentials: true” and the “Access-Control-Allow-Origin” header must be set to null or the malicious page’s domain. Even if this misconfiguration doesn’t allow authenticated AJAX requests, unauthenticated sensitive content can still be accessed (e.g intranet websites). A malicious page can belong to a malicious website but also a trusted website with flaws (e.g XSS, support of HTTP without TLS allowing code injection through MITM, etc).

CORS Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

Cross-Domain Misconfiguration

Mon, 01 Jan 0001 00:00:00 +0000

Web browser data loading may be possible, due to a Cross Origin Resource Sharing (CORS) misconfiguration on the web server.

Cross-Site WebSocket Hijacking

Mon, 01 Jan 0001 00:00:00 +0000

Server accepted WebSocket connection through HTTP Upgrade request with modified Origin header.

Deprecated Feature Policy Header Set

Mon, 01 Jan 0001 00:00:00 +0000

The header has now been renamed to Permissions-Policy.

Directory Browsing

Mon, 01 Jan 0001 00:00:00 +0000

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc. which can be accessed to read sensitive information.

Exposed Session ID

Mon, 01 Jan 0001 00:00:00 +0000

A session id is exposed in the URL. By sharing such a website URL (containing the session id), a naive user may be inadvertently granting access to their data, compromising its confidentiality, integrity, and availability. URLs containing the session identifier also appear in web browser bookmarks, web server log files, and proxy server log files.

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL in such a way that the web site will execute or reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Path Traversal

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header Not Set

Mon, 01 Jan 0001 00:00:00 +0000

Permissions Policy Header is an added layer of security that helps to restrict from unauthorized access or usage of browser/client features by web resources. This policy ensures the user privacy by limiting or specifying the features of the browsers can be used by the web resources. Permissions Policy provides a set of standard HTTP headers that allow website owners to limit which features of browsers can be used by the page such as camera, microphone, location, full screen etc.

Sec-Fetch-Dest Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Sec-Fetch-Dest Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies how and where the data would be used. For instance, if the value is audio, then the requested resource must be audio data and not any other type of resource.

Sec-Fetch-Mode Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

Sec-Fetch-Mode Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Allows to differentiate between requests for navigating between HTML pages and requests for loading resources like images, audio etc.

Sec-Fetch-Site Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies the relationship between request initiator’s origin and target’s origin.

Sec-Fetch-Site Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies the relationship between request initiator’s origin and target’s origin.

Sec-Fetch-User Header Has an Invalid Value

Mon, 01 Jan 0001 00:00:00 +0000

Specifies if a navigation request was initiated by a user.

Sec-Fetch-User Header is Missing

Mon, 01 Jan 0001 00:00:00 +0000

Specifies if a navigation request was initiated by a user.

Session Fixation

Mon, 01 Jan 0001 00:00:00 +0000

Session Fixation may be possible. If this issue occurs with a login URL (where the user authenticates themselves to the application), then the URL may be given by an attacker, along with a fixed session id, to a victim, in order to later assume the identity of the victim using the given session id. If the issue occurs with a non-login page, the URL and fixed session id may only be used by an attacker to track an unauthenticated user’s actions. If the vulnerability occurs on a cookie field or a form field (POST parameter) rather than on a URL (GET) parameter, then some other vulnerability may also be required in order to set the cookie field on the victim’s browser, to allow the vulnerability to be exploited.

Session Fixation

Mon, 01 Jan 0001 00:00:00 +0000

Session ID Cookie Accessible to JavaScript

Mon, 01 Jan 0001 00:00:00 +0000

A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) may be accessed by JavaScript on the client. In conjunction with another vulnerability, this may allow the session to be hijacked.

Session ID Expiry Time/Max-Age is Excessive

Mon, 01 Jan 0001 00:00:00 +0000

A Session Id cookie sent by the server (when the URL is modified by setting the named parameter field to NULL) is set to be valid for an excessive period of time. This may be exploitable by an attacker if the user forgets to log out, if the logout functionality does not correctly destroy the session, or if the session id is compromised by some other means.

Session ID Transmitted Insecurely

Mon, 01 Jan 0001 00:00:00 +0000

A session id may be sent via an insecure mechanism. In the case of a cookie sent in the request, this occurs when HTTP, rather than HTTPS, is used. In the case of a cookie sent by the server in response (when the URL is modified by setting the named parameter field to NULL), the ‘secure’ flag is not set, allowing the cookie to be sent later via HTTP rather than via HTTPS. This may allow a passive eavesdropper on the network path to gain full access to the victim’s session.

Spring Actuator Information Leak

Mon, 01 Jan 0001 00:00:00 +0000

Spring Actuator for Health is enabled and may reveal sensitive information about this application. Spring Actuators can be used for real monitoring purposes, but should be used with caution as to not expose too much information about the application or the infrastructure running it.

Username Hash Found

Mon, 01 Jan 0001 00:00:00 +0000

A hash of a username (admin) was found in the response. This may indicate that the application is subject to an Insecure Direct Object Reference (IDOR) vulnerability. Manual testing will be required to see if this discovery can be abused.